41
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Centos via sssd/ldap (view source)
Revision as of 22:25, 27 October 2015
, 22:25, 27 October 2015Created page with "{{Warning box|This how-to should be validated by Daniel before you use it!!.}} {{Warning box|This is based upon limited testing and a small number of users.}} ==Introductio..."
{{Warning box|This how-to should be validated by Daniel before you use it!!.}}
{{Warning box|This is based upon limited testing and a small number of users.}}
==Introduction==
This how-to shows how to configure a SME-server (>=8b6) and a client Centos >= 5 for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.
The main advantage in comparaison to nss_ldap is that the authentication informations stay in the cache and the authentication can therefore furter work, even in offline mode (when the server not available).
Nevertheless, the creation of a local user with the admin rights is recommanded for the emergency case.
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/centos_sssd_on_sme. Many thanks to him for it.
In this how-to: we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
==Configuration of the SME-server==
There is quite no necessary configuration of the SME.
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
==Configuration of the client CentOS==
===Manage the CA of the SME===
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
Place a copy of it or of another CA into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
===Install the required package===
First of all, install the required package:
yum install sssd
===Configure SSSD===
The configuration is made by the file /ets/sssd/sssd.conf.
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.
* And deeper in the file, we will add the configuration of the domain
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a âiPasserelleâ
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a âiPasserelleâ
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF
chmod 600 /etc/sssd/sssd.conf
{{Tip box|Make sure that the file /etc/pki/tls/certs/ca.crt contains the CA that has sign the certificate of the SME (if PHPki is used, a version > 0,82-13 is required).}}
===Configure nss===
To allow nss to use sssd, you should check that sss is set as a source for users and groups in the /etc/nsswitch.conf.
[...]
passwd: files sss
shadow: files sss
group: files sss
[...]
netgroup: files sss
{{Tip box|This has been done automatically from CentOS 7}}
===Check===
getent passwd
should show the ldap-users.
If it doen't work, you should start debugging by running sssd in interactiv mode (with sssd -i -d 5 for exemple).
===Configure pam===
pam must be configured on order to use sssd as a source too:
====CentOS 5====
rm -f /etc/pam.d/system-auth
cat <<'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
====CentOS 6 / 7====
rm -f /etc/pam.d/system-auth
cat <<'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
rm -f /etc/pam.d/password-auth
ln -sf system-auth /etc/pam.d/password-auth
That's all. It has only to be tested now.
When it works, the daemon sssd should be enabled at start:
chkconfig sssd on
or
systemctl enable sssd
[[Category:Howto]]
{{Warning box|This is based upon limited testing and a small number of users.}}
==Introduction==
This how-to shows how to configure a SME-server (>=8b6) and a client Centos >= 5 for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.
The main advantage in comparaison to nss_ldap is that the authentication informations stay in the cache and the authentication can therefore furter work, even in offline mode (when the server not available).
Nevertheless, the creation of a local user with the admin rights is recommanded for the emergency case.
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/centos_sssd_on_sme. Many thanks to him for it.
In this how-to: we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
==Configuration of the SME-server==
There is quite no necessary configuration of the SME.
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
==Configuration of the client CentOS==
===Manage the CA of the SME===
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
Place a copy of it or of another CA into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
===Install the required package===
First of all, install the required package:
yum install sssd
===Configure SSSD===
The configuration is made by the file /ets/sssd/sssd.conf.
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.
* And deeper in the file, we will add the configuration of the domain
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a âiPasserelleâ
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a âiPasserelleâ
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF
chmod 600 /etc/sssd/sssd.conf
{{Tip box|Make sure that the file /etc/pki/tls/certs/ca.crt contains the CA that has sign the certificate of the SME (if PHPki is used, a version > 0,82-13 is required).}}
===Configure nss===
To allow nss to use sssd, you should check that sss is set as a source for users and groups in the /etc/nsswitch.conf.
[...]
passwd: files sss
shadow: files sss
group: files sss
[...]
netgroup: files sss
{{Tip box|This has been done automatically from CentOS 7}}
===Check===
getent passwd
should show the ldap-users.
If it doen't work, you should start debugging by running sssd in interactiv mode (with sssd -i -d 5 for exemple).
===Configure pam===
pam must be configured on order to use sssd as a source too:
====CentOS 5====
rm -f /etc/pam.d/system-auth
cat <<'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
====CentOS 6 / 7====
rm -f /etc/pam.d/system-auth
cat <<'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
rm -f /etc/pam.d/password-auth
ln -sf system-auth /etc/pam.d/password-auth
That's all. It has only to be tested now.
When it works, the daemon sssd should be enabled at start:
chkconfig sssd on
or
systemctl enable sssd
[[Category:Howto]]
